Solvency II and the need for Operational Risk

Since the European Council has postponed the deadline for Solvency II to January 2014, insurance companies have bought themselves more time to prepare for it. Most insurance companies are already working on the quantitative side of Solvency II (Pillar I of the solvency model, the capital requirements) but have not started on the qualitative part (Pillar II, Operational Risk). According to the visionaries, the biggest risk for insurers lies in Operational Risk!

Interestingly enough, these organizations do not know how to respond to the Own Risk and Solvency Assessment (ORSA) requirements, and the local regulators are not providing much guidance on this. What I hear from my clients is that they are looking for guidance on how to implement Operational Risk for Solvency II. This is where IBM OpenPages can help you. We have done this for many clients already, including in joint efforts with business partners in the risk consulting area.

In fact, Operational Risk is not rocket science. Let me guide you through the process that one of my clients followed.

1. Risk Governance and Culture

This is a reflection of the policies in place to govern your risks and of the risk culture in your organization. My client reviewed how risk awareness was embedded in the daily processes and which policies were in place to manage risks in the business.

2. Risk Identification and Prioritization

My client conducted workshops, guided by a risk expert, to identify risks in the current processes, aligned to the strategic business goals. The outcome of these risk assessments allowed him to prioritize the risks.

3. Risk Response Formulation and Control Design

Now that we understand the impact (also called the inherent risk exposure) we can start talking about the risk response. Is a response needed at all? Can we insure (transfer) the risk, can we ignore or accept the risk, or should we come up with mitigating controls? And since risks are rarely completely new, which controls do we already have in place? Compliance and Audit played an advisory role in formulating the response and in the (re)design of these controls.

4. Risk Monitoring

With an understanding of our risk environment and the resulting risk exposure, we started developing risk monitoring through reporting, dashboarding and risk analysis. This answers the questions: where are we today, and how did we get here? Risk appetite, risk tolerance and risk limits were formulated at this stage.

5. Issue and Action Management

The last step we took, to close the loop, was answering the question: what will we do about it? Which actions will be taken, by whom and when? A centralized approach to action management was a great relief to our CRO. The main benefit was the ability to provide the auditors and the board with an integrated view of all actions and their follow-up progress.

Best practice is to start with a single, simple risk and control framework. Do not try to automate everything in the first phase; keep it simple and get the basic risk management process running. Once that is done you can start automating in phase II. Only automate where you benefit from it, where it saves a significant amount of time.

Phase II is really about automating manual processes. By automation I mean workflow in the risk and control assessment processes, plus alerting and notification. For example, coming to a final judgment on risk impact and likelihood has been a manual process where only the final result was stored in the system. The next step towards a better qualified result can be automated questionnaires or a voting system: a decentralized first round of voting, followed by a central final verdict in a group workshop. A decentralized first round has proven to give a better and more effective (read: shorter) discussion and a better final judgment on the risk assessments. Another example of automation is the collection of losses. Until now they were kept in Excel sheets and uploaded into the system. Qualifying the category a loss belongs to and validating the loss can be a time-consuming process. Automating it helps the person registering the loss to classify it correctly and speeds up the validation of the loss, including the assessment of the impact and the recovery.

Phase III is the step to the next maturity level. You now understand how risks and controls relate to each other, so you can put KRIs (Key Risk Indicators) in place. With KRIs you have an early warning system that helps you respond in a timely manner. This shortens the time to respond to failures and might even prevent a loss from happening. Non-financial risk dashboards and scenario analysis are further steps that fit this maturity level. Scenarios can help you to better calculate your capital requirements: through risk assessments you get the business's input on which losses are likely to happen in the near and longer term. The more sample data you put into your calculations, the better the outcome will be.

The last phase is about automating control testing. Here you look for control tests that can be performed automatically. Control tests that are performed frequently and systematically are the first candidates for automation. Examples can be found in General Ledger systems, such as matching a sample of invoices against PO numbers, or in IT (endpoint) tests, such as checking that all hard disks containing sensitive data are encrypted, or that passwords on all systems are changed every month.
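To make the endpoint examples concrete, here is an automated control test of the kind described above, as an added example that is not from the original post and not IBM OpenPages code. It reads a constructed endpoint inventory export, evaluates the two controls named in the paragraph (full-disk encryption on endpoints holding sensitive data, and a maximum password age) and returns, per control, the tested population, the exception list an auditor would ask for, and an effective/not effective verdict. The column names, the 30-day limit and the test date are assumptions for the illustration.

```python
"""Automated control test over an endpoint inventory export.

Added example, not from the original post and not IBM OpenPages code. Column
names, the 30-day password limit and the test date are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export; a real run would read the CMDB/MDM export file.
INVENTORY_CSV = """hostname,holds_sensitive_data,disk_encrypted,last_password_change
fin-ws-001,yes,yes,2012-05-02
fin-ws-002,yes,no,2012-05-10
hr-ws-001,yes,yes,2012-03-01
mkt-ws-001,no,no,2012-05-12
mkt-ws-002,no,no,2012-01-15
"""

MAX_PASSWORD_AGE = timedelta(days=30)  # assumed control parameter
AS_OF = date(2012, 5, 15)              # assumed date of the test run


def parse_inventory(text):
    """Turn the CSV export into records with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "hostname": r["hostname"].strip(),
            "sensitive": r["holds_sensitive_data"].strip().lower() == "yes",
            "encrypted": r["disk_encrypted"].strip().lower() == "yes",
            "last_change": date.fromisoformat(r["last_password_change"].strip()),
        })
    return rows


def check_disk_encryption(rows):
    """Control: every endpoint holding sensitive data has an encrypted disk."""
    in_scope = [r for r in rows if r["sensitive"]]
    exceptions = [r["hostname"] for r in in_scope if not r["encrypted"]]
    return {"control": "disk_encryption", "population": len(in_scope),
            "exceptions": exceptions, "effective": not exceptions}


def check_password_age(rows, as_of=AS_OF, max_age=MAX_PASSWORD_AGE):
    """Control: every endpoint's password was changed within max_age."""
    exceptions = [r["hostname"] for r in rows
                  if as_of - r["last_change"] > max_age]
    return {"control": "password_age", "population": len(rows),
            "exceptions": exceptions, "effective": not exceptions}


def run_control_tests(text=INVENTORY_CSV, as_of=AS_OF):
    """Run every automated control over the export; one result dict per control."""
    rows = parse_inventory(text)
    return [check_disk_encryption(rows), check_password_age(rows, as_of)]


if __name__ == "__main__":
    for result in run_control_tests():
        status = "PASS" if result["effective"] else "FAIL"
        print(f"{result['control']}: {status}, population={result['population']}, "
              f"exceptions={result['exceptions']}")
```

The result dicts are what you would store against the control in the GRC platform: the population and exception list are the evidence, and the verdict is the thing the control owner is asked to act on. Note that the encryption control only counts endpoints that hold sensitive data as its population; testing the whole fleet would either inflate the exception list or hide the real scope.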

A client of mine recently asked me what I have seen as the most effective way to run a selection process. Now, I know this may seem a conflict of interest: a GRC solution vendor writing about the GRC software selection process and the need for a GRC platform. Still, I think I can give you some dos and don'ts on a GRC software selection process, since I have been there many times.

Let's start with the need for a GRC software platform. Why do you need one?

Of course, investing in a solution needs a compelling event. Either the cost of risk management and compliance becomes very high, or the process takes too long to be responsive to stakeholders, or the 'in control' statement can no longer be guaranteed. External regulators can also advise you to implement software.

Before you start thinking about a GRC platform, carefully review the risk and compliance maturity level of your organization and the scope of the problem. This will help you choose between two approaches. The first approach is what we call a 'point solution', the second an 'enterprise solution'.

The first approach, the point solution, is best when the compelling event is there but the scope is limited to one area. At a single point in your GRC activities you have a pain that must be resolved in a fairly short term. In this case you can search for specific capabilities and specific knowledge: select the vendors that operate in the area where you have the pain and choose the partner that understands your area. You might still want to consider your long-term ambition. If your long-term ambition is enterprise-wide GRC integration, you might look at enterprise vendors anyway and use the specific area as a 'pilot' for further extension.

The second approach, the enterprise solution, is best when the compelling event is the integration of governance, risk and compliance. The term risk and control convergence often comes up here. This approach requires a lot more work than the point solution and may have cultural impact. You might consider a second party to help you through the project. A second party (a consulting firm) can help you make critical decisions and review your current (silo-based) approach to GRC. They can keep the holistic view for you. Every silo needs to be reviewed and mapped to the enterprise approach. This will not come without discussions and sacrifices!

So the need is there; now how do you make your selection?

In the point solution approach there are just two considerations: short term or long term? In the short-term case, do NOT select an enterprise vendor; go for the right point solution. The advantages are lower cost and a shorter implementation time. In the long-term case, select among the enterprise GRC software vendors and treat the first phase as a pilot for the enterprise approach. Even then you might want to involve a consulting firm with specific knowledge.

In the enterprise approach you will go for an enterprise vendor. This is where you want to be careful in setting up your selection. I personally have seen many of these selection processes, having taken part in quite a few. This is where I want to give you some guidance to save you a lot of time and money.

First, do NOT expect the enterprise vendors to differentiate on functionality. The GRC software market has evolved over the last 10 years into a fairly mature market, so a 'beauty contest' is a waste of money and resources. The outcome will be roughly equal for all vendors and you will be stuck between your user community and the vendors. You might get questions from your management team about why you spent so much time and resources without any outcome.

Secondly, involve your end users in the selection process early, but do not expect 20 people working in silos to come to one single conclusion. Again you will end up in a long discussion with no outcome. Have a small group of people (preferably three) make the selection.

Thirdly, make your selection criteria known upfront and make them measurable. Also involve the vendors in the process and be open with them. If you are open and honest you will get transparent, open and honest answers; if you hide, vendors will hide! Criteria should be based on experience in your market, understanding of your organization, size and financial stability, ability to deliver on time and within budget, alignment of the vendor's implementation approach with your implementation methodology, and cultural fit.

Again, this may look like preaching to the choir, but I hope I have just saved you time and money that you can invest in your implementation.

Last week I came across project risk, and not for the first time! So, time to spend some words on this topic.

Organizations in Energy & Utilities and Manufacturing especially have huge risks in their assets and in their projects. You think you have identified all risks through the standard risk identification process, and you just missed that elephant?! This might impact your yearly financial result, or worse!

This is why more and more clients are starting to look at project risk methodologies. My client happened to use the PMBOK methodology. In this methodology you consider standard project phases, including standard risks and controls. This is great, since it covers most of the standard risks. But what about the risk that is just not standard? This is where gate reviews help you. These gate reviews are held after every project phase. Each gate review contains questions used to identify risks, holds monitoring methodologies to check status and behavior, and contains audit-like activities. The key element is that all findings roll up to the top level, so no significant risk can be missed.

This all works for what we call manageable risks, but what about risks that you cannot manage? How will you anticipate them? These risks can be covered by sensitivity analysis, simulations and business continuity management. Sensitivity analysis and business continuity analysis in particular will help you. For simulations you need data, and a significant amount of it. Only if you have many similar projects running in a regular cycle will you be able to generate enough risk identifications and losses to make a sensible calculation, such as a Monte Carlo simulation.
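The Monte Carlo simulation mentioned above, and the capital requirement calculation in phase III earlier on the page, come down to the same exercise: turning a loss register into an annual loss distribution and reading a quantile off it. The block below is an added example, not from the original post, from PMBOK or from IBM OpenPages. It fits a Poisson frequency and a lognormal severity to a constructed twelve-event loss register, simulates annual aggregate losses, takes the 99.5% quantile (the one-year confidence level Solvency II uses for the SCR), and then re-fits on bootstrap resamples of the register to show how much that tail figure swings when it rests on a dozen events, which is exactly the data problem the paragraph describes. The distribution choices, the register, the seed and the trial counts are all assumptions.

```python
"""Frequency/severity Monte Carlo for an annual operational loss distribution.

Added example, not from the original post, PMBOK or IBM OpenPages. Poisson
frequency, lognormal severity, the loss register, the seed and the trial
counts are assumptions chosen for the illustration.
"""
import math
import random
import statistics

# Constructed loss register: (year, loss amount). Five years, twelve events.
LOSS_REGISTER = [
    (2007, 12_000), (2007, 48_000), (2008, 9_500), (2008, 150_000),
    (2009, 22_000), (2009, 31_000), (2009, 5_400), (2010, 76_000),
    (2010, 18_000), (2011, 240_000), (2011, 14_000), (2011, 27_500),
]


def fit_parameters(register):
    """Poisson rate from events per year; lognormal mu/sigma from the log losses."""
    years = {year for year, _ in register}
    rate = len(register) / len(years)
    logs = [math.log(amount) for _, amount in register]
    return rate, statistics.mean(logs), statistics.stdev(logs)


def poisson(rate, rng):
    """Knuth's multiplication method; fine for the small rates of a loss register."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(register, trials, seed=1):
    """One simulated year per trial: draw an event count, then a severity per event."""
    rng = random.Random(seed)
    rate, mu, sigma = fit_parameters(register)
    totals = []
    for _ in range(trials):
        events = poisson(rate, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def quantile(values, q):
    """Empirical quantile by the nearest-rank method."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]


def annual_loss_at(register, q=0.995, trials=20_000, seed=1):
    """Simulated one-year loss at confidence q (0.995 is the Solvency II SCR level)."""
    return quantile(simulate_annual_losses(register, trials, seed), q)


def bootstrap_range(register, samples=20, trials=2_000, seed=1):
    """Re-fit on resampled registers to show how unstable the tail estimate is."""
    rng = random.Random(seed)
    estimates = []
    for i in range(samples):
        resampled = [rng.choice(register) for _ in register]
        estimates.append(annual_loss_at(resampled, trials=trials, seed=seed + i))
    return min(estimates), max(estimates)


if __name__ == "__main__":
    estimate = annual_loss_at(LOSS_REGISTER)
    low, high = bootstrap_range(LOSS_REGISTER)
    print(f"99.5% one-year loss estimate: {estimate:,.0f}")
    print(f"bootstrap range over re-fitted registers: {low:,.0f} .. {high:,.0f}")
```

Run it as a script to print the point estimate and the bootstrap range. The width of that range, relative to the point estimate, is the argument for collecting losses systematically (phase II earlier on the page) before trusting a simulated capital figure: with a register this small, the 99.5% tail is decided by two or three large events.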

Now the system is in place, and now we are in control? Wrong! This is where the real work starts. How do I get my organization to adopt risk in its daily business? How do I get input of the right quality? How do I make everyone a risk manager? This takes time and effort. Guide your people in how to make the assessments and make them part of it. Give them back what they contributed to, and make their lives easier. That is what we call Smarter Risk.

IBM OpenPages and Deloitte have put together a risk methodology for project risk where all these technological and organizational aspects come together and can be integrated into your enterprise risk platform.

IBM Watson goes to work in financial services as a risk expert. One of the largest financial services institutions and IBM now partner to enhance and simplify the consumer banking experience with faster, more accurate decisions, better risk assessment, and more targeted customer offers.

IBM Watson is transforming expectations of how technology can help individuals live and work in better ways. Its ability to make sense of vast quantities of unstructured information, communicate in natural human language, learn from experience, and offer confidence-weighted responses is already a game changer in healthcare. Focusing these capabilities on financial services brings new possibilities for higher service levels to an expanded set of users.

For those who do not know IBM Watson: Watson is an artificial intelligence computer system capable of answering questions posed in natural language, developed in IBM's DeepQA project. As a test of its abilities, Watson competed on the quiz show Jeopardy!, in the show's only human-versus-machine match-up to date. In a two-game, combined-point match, broadcast in three Jeopardy! episodes on February 14–16, 2011, Watson beat Brad Rutter, the biggest all-time money winner on Jeopardy!, and Ken Jennings, the record holder for the longest championship streak (74 wins).

Now what will that bring to our financial services clients? Potentially an assistant to client service professionals, helping to deliver evidence-based recommendations across multiple areas of the bank, including credit cards, private banking, wealth management and call centers. Because Watson can process far more information, far faster, than any human being, it can make cross checks, help prevent fraud, determine risk, and so on. It can analyze data such as client information, online news reports, blogs, Twitter feeds, analyst reports, regulations, credit ratings and government securities filings, which helps it suggest options targeted to a consumer's individual circumstances.

With the brand-new IBM Cognos Insight you can now connect to your IBM OpenPages environment from your desktop. There is always that moment when you need the information on a report, but slightly different from what the standard report provides. The solution is here now: IBM Cognos Insight!

Insight is a powerful, intuitive desktop solution that can read many different data sources, from Excel to data warehouses. Even your real-time IBM OpenPages environment!

And it is not only reporting and dashboarding: it also lets you create what-if scenarios on the fly! What would my risk exposure be if the loss impact in one risk category increased by 15%? Two clicks and you know the answer. You can then comment on your report, which gives your colleagues more context the moment you share your workspace.

This is the last in a series of four blog posts in which we present the GRC maturity model of risk and compliance speaker and thought leader Michael Rasmussen. For more insightful information on GRC, and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.

Getting to the Head of the Class: Advancing Your Organization's GRC Maturity

Organizations with GRC processes siloed within departments operate at the Unaware, Fragmented, or Integrated stage. At these stages GRC may be effective within a silo, but lacks an enterprise perspective of risk and compliance and gains no efficiencies from shared processes. Different departments may be at different levels of maturity.

The Aligned and Optimized maturity levels represent maturity of organizations with an enterprise GRC strategy, focused on developing a common GRC process, information and technology architecture. These organizations report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on risk and compliance in a dynamic business environment, and greater effectiveness through the ability to report and analyze risk and compliance data from across the business. The primary difference between the Aligned and Optimized stage is the integration of GRC in the context of business performance, strategy and objective management. Organizations on this journey are successful when they have top-down support from executive management, and when various risk and compliance functions cooperate with the strategy to collaborate and share information and processes.

Considerations for Moving From Fragmented to Integrated

Departments at the Fragmented stage have siloed approaches to risk and compliance at the department level. This means no integration or sharing of risk and compliance information, processes or technology.

Considerations for Moving From Integrated to Aligned

Departments at the Integrated maturity stage are in a good place to lead the organization in an integrated GRC strategy to the Aligned stage. They have a strategic approach to GRC at the department level, supported by mature GRC processes that can be extended to other departments. These organizations have a shared-services approach to GRC to deliver common processes and integrated information.

To move from the Integrated to the Aligned stage requires a common risk catalog that shows the relationship of risks across the business and risk ownership. The purpose is to enable the business to make risk-informed decisions. Organizations should leverage risk insight to improve planning and strategic decisions. A common governance model for GRC is used across lines of business, functions and processes. The organization needs a common GRC methodology and taxonomy in place, supported by shared services. GRC architecture must be extensible and configurable with strong business intelligence capabilities. Organizations at this level report process efficiencies reducing human and financial capital requirements, greater agility to understand and report on risk and compliance in a dynamic business environment, and greater effectiveness through the ability to report and analyze risk and compliance data from across the business.

Considerations for Moving From Aligned to Optimized

The difference between the Aligned and Optimized stages is primarily one of context. At the Aligned stage the organization provides a consistent approach to managing GRC across the business. This is supported by an established GRC process, information and technology architecture. While GRC is understood in the context of the business, it is still focused more on risk and compliance than on performance and strategy. At the Optimized stage, performance, strategy and objectives set the context.

Achieving the Optimized stage requires GRC expectations set as part of the annual strategic planning processes. The organization has extensive measurement and monitoring of GRC in the context of business strategy, performance and objectives. There is shared information and technology between risk, control and compliance management as well as decision support, optimization and business intelligence. The organization has integrated risk and finance data to drive performance and maximize value creation.

Fundamental Steps to Establishing Your GRC Strategy

To achieve the benefits other organizations have seen from a GRC strategic plan and common approach, Corporate Integrity recommends the following next steps:

Gain executive support and sponsorship of the GRC strategy: The organization needs to work in harmony on GRC. Different groups doing their own thing handicap the business. Executive support is the key to ensure that risk and compliance silos work together.

Establish a dedicated cross-functional team focused on a common GRC approach: Due to the complexity of business, it is necessary to dedicate a cross-functional team to oversee ongoing harmonization of GRC processes, integration of GRC information, continued collaboration across risk and compliance functions, and ongoing execution of the GRC strategic plan. This group identifies strengths within existing functions and enables other areas to benefit from them. The goal of this team is to develop shared framework, processes and information.

Define an enterprise risk framework and catalog: Companies must document and prioritize enterprise risks in a structured taxonomy. This includes defining who owns the risk, the subject matter expert for the risk and which function or process monitors the risk. Policies, controls and events must be mapped back to the enterprise risk framework.

Develop harmonized processes: Key to success is identification of shared processes and information for GRC across the enterprise. This includes identifying technology solutions to support integrated information and process architecture.

Focus on quick wins: The company must develop GRC project timelines focused on quick wins, where economies can be gained quickly and the value of GRC proven. From there, the company can move on to more detailed issues that can achieve significant efficiencies, but take longer to integrate and implement.

Vision is IBM's global conference for finance and risk professionals, to help them improve planning, budgeting and forecasting, identify and mitigate risk, and meet the demanding requirements of XBRL, IFRS, Basel II and Solvency II with greater confidence.

I talked to Mauboussin about his book, making data-driven decisions, some common pitfalls as decision makers, and his upcoming talk at Vision.

“What's very exciting is that in the last half dozen years, we've had a real influx of data, and we're now just learning how to tap that data for the benefit of better decision making,” said Mauboussin. “Now we can create a better intersection between value creation and making decisions.”

The problem however, according to Mauboussin, is that we still have the same cognitive makeup and the propensity to make common mistakes.

“We often think about our own decision making as being objective and fact based and rational. And we tend to underestimate systematically how important the social context is for our decision making,” said Mauboussin.

To illustrate this point he told an interesting story from his book.

Researchers went into the wine section of a supermarket and set up French and German wines next to each other that were roughly matched in price and quality. Over a two week period they alternated playing distinctively French and distinctively German music to see if it would have any influence on purchase decisions.

Surprisingly, they found when French music played people bought French wine 77 percent of the time, and German wine 73 percent of the time when German music played. When asked if music affected their selections, the consumers unanimously said no.

“This basic experiment can be extrapolated to a lot of organizational settings where we think of ourselves as trying to be conscious and mindful as we make decisions. But indeed what is going on around us can be deeply influential to our decisions,” said Mauboussin.

So what do we do?

According to Mauboussin, integrate more data into quality decisions. However, there is still a tension between the intuitive, go by the seat of the pants experience group versus the analytically-minded group.

“Either extreme is not going to work, but a blend between the two is the right way,” said Mauboussin.

Read the rest of the interview with Michael Mauboussin on the Business Analytics Blog here.

The head of the SEC's Office of Compliance Inspections and Examinations, Carlo di Florio, recently spoke about what his 900 professionals look for in conducting examinations of a wide range of financial institutions, noting that the OCIE is breaking new ground. In carrying out its mission to improve compliance, prevent fraud, monitor risk, and inform policy, di Florio's office is expanding its focus to include boards of directors. In considering a firm's compliance culture, the OCIE is entering into direct discussions with boards of directors, to get a sense of the board's as well as senior management's attention to and focus on regulatory compliance issues. Di Florio didn't name names, but media reports say such discussions have already taken place with the likes of Goldman, Morgan Stanley, Barclays and Wells Fargo. He did say that the new focus is due in part to the fact that a firm's compliance culture is an "elusive concept and a real challenge," having a huge impact on the extent to which a firm engages in ethical conduct, also noting the need to integrate compliance within risk governance processes.

If you've encountered Carlo di Florio, you may have observed a soft spoken, gentle demeanor and charming personality. But that shouldn't be misinterpreted for anything less than a hard-nosed and rigorous approach on the part of him and his staff. Having worked with him in our “past life,” I can assure you that he is not only thoughtful and creative in approach, he can be relentless in pursuing objectives.

OCIE's approach is multifold, focusing first on review of a firm's policies and related procedures, including policy management and flexibility in dealing with evolving conditions. There's focus on effectiveness of communication and training, and on such matters as how a firm assigns responsibility and handles accountability. Also in its sights are monitoring and testing processes, protocols for communicating issues upstream, and internal whistleblower processes. Di Florio notes that the better the internal processes, the less OCIE will need to do. Highlighting its insightfulness, OCIE looks at such critical matters as where the power lies (the business side or legal/compliance), how bonus pools are allocated, the independence of compliance staff, and involvement in critical decision-making. The extent of business units' compliance contributions in performance assessment and reward processes is also considered.

With all this, the focus on board of directors is consistent with attention to the tone at the top of a firm. Carlo di Florio is moving the lines, and I've no doubt he and his staff will have a sharper focus on and greater insight into what drives compliance.

We know the Justice Department and SEC in recent years revved up enforcement of the Foreign Corrupt Practices Act, which certainly has gotten the close and widespread attention of the business community. With the vast majority of U.S. companies large and small operating globally, general counsels, compliance officers, boards of directors, and other business executives are focusing on related risks and controls. And now the U.S. Chamber of Commerce’s Institute for Legal Reform, noting that companies want to comply with provisions of the FCPA but unclear enforcement makes it challenging, thinks "it is common sense that the rules of the road are clarified." As such, the Chamber has put forth five recommendations: Adding a compliance defense, limiting liability for the prior actions of an acquired company, adding a “willfulness” requirement for corporate criminal liability, limiting liability for acts of a subsidiary, and defining what constitutes a "foreign official."

It appeared these proposals might gain some traction, and then along came Wal-Mart. The charges of bribery in Mexico and subsequent cover-up seems to have dampened interest in modifying, or some would say softening, the FCPA and related enforcement. Certainly Wal-Mart has put tremendous effort into successfully lobbying legislators in both parties – and supporting the President’s initiatives in health coverage and pollution control, and the First Lady’s on healthy foods to combat childhood obesity – all of which may serve the company in good stead in containing political fallout. But we can also expect notoriety around the Wal-Mart case to signal the continued relevance of the Act and deflect efforts to weaken it.

It seems there’s an interesting analogy here, where the Wal-Mart bribery case might be to the FCPA what WorldCom was to Sarbanes-Oxley. After Enron imploded, there was stirring inside the Beltway about need for legislation, but nothing much was expected to happen – until a few months later when the WorldCom fiasco hit the headlines, thereby generating momentum that turned into a rush to get a law passed. In this instance, it may well be the converse – a law that might have been weakened is more likely to stay as is, with continued strong enforcement by regulators. We’ll stay tuned to see what transpires.

In this session I will take you through the most common questions I have received from our customers facing Basel II and Solvency II. I will help you understand the challenges from an Operational Risk perspective and speak about how my clients have overcome these challenges.

Risk Convergence, Risk Adoption, Risk Monitoring, Loss Registration, Risk Reporting and Dashboarding, and Regulatory Reporting are the topics that will be discussed in this session.

A key theme at Vision 2012, IBM’s three-day user conference for Finance and Risk professionals, is how organizations can leverage enterprise risk information to make better decisions while balancing the demands for risk oversight and regulatory compliance.

The current complex and dynamic regulatory environment is a particular challenge for risk and compliance directors. For instance, while organizations covered by Dodd-Frank must respond to current regulatory reporting requirements, less than a third of the associated rule-making has been finished.

So, risk and compliance professionals must put in place an approach to meet regulatory requirements that can easily adapt over time as regulations evolve, and this approach includes the capability to adapt internal policies to keep pace with the evolving regulatory environment.

This new OpenPages release enhances the ability to make risk-aware business decisions, enables companies to react more quickly to regulatory changes through better policy management, and decreases the cost and complexity of compliance.

Leveraging the IBM Cognos business intelligence platform, OpenPages 6.1 delivers interactive reports and dashboards that allow business managers to turn that risk information into insight and insight into better business outcomes.

As a compliance officer, you're dealing with increased regulation and expectations, while the related resources are subject to budgetary constraints. Yes, senior management reads the headlines and recognizes the reputational and related risks associated with legal and regulatory compliance. But what I and others see are compliance functions having to do more, often without a commensurate increase in resources.

These observations are consistent with a recent Thomson Reuters survey of financial services companies' compliance professionals. The survey shows that compliance officers are struggling to keep up with the increasing demands of global regulation, where rapidly growing regulations and increasing responsibilities, together with limited resources and constrained budgets, are causing compliance personnel to reach a "saturation point." A whopping 84 percent of respondents say they expect to deal with more information from regulators and exchanges this year, with almost half expecting the level to be "significantly higher." The increase is expected to come from such events as the splitting of the U.K. Financial Services Authority, the added regulatory power of the European Supervisory Authorities, the expansion of new and existing U.S. regulatory agencies resulting from Dodd-Frank, and expanded enforcement of such regulations as the U.K. Bribery Act and the U.S. Foreign Account Tax Compliance Act.

The survey results show that compliance responsibilities and expectations are diverging from realistic capabilities. For instance, with a key objective being to coordinate with other company professionals involved with regulatory risk, over half of compliance professionals say they spend less than one hour weekly with internal audit colleagues, and one third spend less than one hour per week with legal and risk professionals. And while 70 percent of respondents expect the cost of senior compliance staff to increase this year, only 11 percent of companies expect a significant increase in budgets.

Also interesting is the statement that: “While keeping executive management informed of regulatory issues is a key part of the compliance role, more than a quarter of respondents say they spend less than one hour a week reporting to their boards. In the U.S., more than half of the companies surveyed spend less than one hour a week reporting to their boards. This raises concerns about whether executive management is being kept sufficiently informed on compliance issues.” Well, it’s not entirely clear from this what the extent of interaction between compliance officers and senior management is – one hour a week with the board may be just fine, as long as there’s significant interaction directly with executive management.

In any event, what we see is compliance departments already working at a fast pace with high efficiency, but they face risks going forward if responsibilities and resources aren’t recalibrated to be in sync.

Chief Compliance Officers, General Counsels and other business executives have long been pushing regulators to provide clarity around the FCPA and more consistent (and appropriately fair) enforcement. Well, companies finally have something reasonably definitive to look at which shows how a well-constructed compliance program implemented in good faith can have extremely positive consequences – it’s the recent Morgan Stanley case, which we’ll get to in a moment.

At the other end of the spectrum is the Wal-Mart fiasco. You know the story – senior Wal-Mart executives knew of millions of dollars being paid to government officials in Mexico to aid expansion in that country, but shut down an investigation. The Justice Department and Securities and Exchange Commission are all over this, and things will not go well for the company. The last thing the DOJ or SEC looks favorably on is executives not reporting a suspected or known violation, and not conducting a full and comprehensive internal investigation. Now proxy advisory firms ISS and Glass Lewis, as well as major public pension funds, are recommending that Wal-Mart shareholders vote against members of the board of directors for neglecting their responsibilities. And there are indications the bribery might extend beyond the Mexican subsidiary. The stock price has taken a hit, the company faces potentially huge fines, executives could wind up in prison, and investors are suing. As is often the case, it’s not so much the bad action, but the cover-up. And it’s also whether the system, here the compliance process, was well designed, implemented and maintained.

Now to Morgan Stanley. The DOJ and SEC have long said that in enforcement actions they give credit to companies for already having a good compliance system in place, but we’ve seen little direct evidence of that. But now we have a game changer. The problems at Morgan Stanley reportedly arose when Garth Peterson, a managing director, successfully pushed for the firm to sell a real estate interest to a Chinese state-owned company, but it turned out to be a shell company in which Peterson had a direct interest, with related cash payments to himself and a Chinese official. Peterson pleaded guilty, facing a potential six-figure fine and five years in prison. But what happened to Morgan Stanley, or didn’t, is the real story here. The DOJ and SEC decided not to bring an enforcement action against the company. The reason – Morgan Stanley has had a strong compliance system, including relevant internal controls. It regularly updated controls to reflect risks of misconduct, and provided extensive training to its personnel, compliance reminders, annual confirmations by personnel, and continuous monitoring. And, when evidence of misconduct surfaced, the firm immediately began and conducted a thorough investigation.

So, there we have two well-known brand-name companies, one of which is likely to pay a high price, the other none at all and whose reputation is enhanced. The message now is clearer than ever. Engage in a cover-up, and deal with forceful regulators and angry shareholders. Have an effective compliance system and do the right thing, and the regulators and others will indeed look favorably upon the company.

You may remember hearing about problems with the College Board, which owns the SAT, and the Educational Testing Service (ETS), which administers the tests. In the recent SAT cheating scandal the College Board and ETS were accused of having lax security and a system that failed to punish cheats. But the problems go back further: a couple of years ago the SAT had serious issues with incorrect scoring of tests. And media reports speak of extensive incorrect scoring and lost test results in England in 2008, with the UK Parliament calling the operation a "shambles." And as far back as 1983 cheating was suspected in California. For details you may want to refer to my blog posting of November 2011, which includes analysis of what the accused organizations did, or rather didn’t do, to right the wrongs.

Well, we now find another player in this industry accused of wrongdoing. Princeton Review, which provides help to students in preparing for college entrance exams and sells study guides, finds itself accused of defrauding the federal government. An arm of the company that provides after-school tutoring to students at troubled schools is said to have falsified records – including forging student signatures, falsifying sign-in sheets, and making false certifications – in order to boost payments due to the company. Relevant is that the company was informed of these allegations back in 2006, but prosecutors, who are now suing, say the fraud continued because nothing was done to fix the system. For what it’s worth, Princeton Review reportedly closed its tutoring division and says most of its current management joined the company after the alleged fraudulent activity took place.

But what’s striking is how the few players comprising this industry have had serious problems – not only in allowing fraud to occur, but also in failing to act in the face of wrongdoing. And this is an industry supposedly driving high academic standards! Yes, we know academic institutions are not immune to misconduct, but we can wonder how these industry players each went so very wrong. And food for thought – do we see other industries with an inordinate number of companies experiencing widespread instances of non-compliance, fraud or other misconduct? And what does that say about the culture not only of the individual organizations, but the industry as a whole? Hmmmm.
